
How To: Quickly secure your chat commands
- HellsWrath
- Site Admin
- Posts: 391
Now download Chaos Helper so you don't have to manually type all the commands; you can just hit buttons.
viewtopic.php?f=6&t=282
Hell's Wrath of MT
http://www.twitch.tv/hellswrathmt/profile
THE PROVIDED REGEX IS NOT SECURE! I'm a little surprised nobody's mentioned this here in all these years, especially considering how powerful you can make meta commands, and their consequent potential for griefing people via security holes.
That regex is only "less risky" than being left wide open. It will, in fact, match ANY character's name that also has your name anywhere inside it.
If someone wanted to be a jerk, and I was running with this regex, all they'd need to do is create a character named (for example) "Evil Eskarina", and they could start ordering my characters around at will. (Someone could also create a character named "You" and run around emoting carefully crafted "commands", and that regex would match them.)
If you want genuinely secure patterns, you can't leave any .* in there (unless they're actually necessary). Here are a couple of examples (for the first part of the pattern, up to the opening quotation mark).
Matching others' messages:
^.*\>(NameA|NameB|Etc)\<.*, \"
Matching "You" messages (messages you sent, for several different channels):
^(\[Co\-Vassals\] |\[Fellowship\] )?(You) (think|say( to your (Vassals|Patron))?|tell .*), \"
Final note: The \> and \< are super important in that first pattern. Others' messages have extra stuff in them that you, as the player, don't see displayed in your Chat Window. But, those extra characters are there, nonetheless, and the regex will match to them. (See http://www.virindi.net/wiki/index.php/M ... on#Example for an example of what I mean.) Including them there on each end of the character-name-match portion of the regex will force it to match your character names, and no more.
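The difference described in the reply above, as an added example that is not part of the original posts: a Python check that runs a hypothetical loose "name anywhere" pattern and the reply's two patterns over constructed chat lines. The `<Tell:...>Name<\Tell>` markup shape and the id inside it are assumptions; Python's `re` treats `\>` and `\<` as literal characters.

```python
import re

OWNERS = ("Eskarina",)  # your own character names (name taken from the post)
NAMES = "|".join(map(re.escape, OWNERS))

# Hypothetical loose pattern of the kind the post warns about: name anywhere.
LOOSE = re.compile(r'^.*(' + NAMES + r').*, \"')
# The post's pattern for others' messages, with the owner names filled in.
STRICT_OTHERS = re.compile(r'^.*\>(' + NAMES + r')\<.*, \"')
# The post's pattern for messages you sent, unchanged.
STRICT_YOU = re.compile(
    r'^(\[Co\-Vassals\] |\[Fellowship\] )?(You) '
    r'(think|say( to your (Vassals|Patron))?|tell .*), \"')


def raw_line(name, channel=""):
    """Constructed raw chat line; the hidden markup shape is an assumption."""
    return f'{channel}<Tell:IIDString:1234567890:{name}>{name}<\\Tell> says, "follow me"'


def trusted_sender(line):
    """Return 'You', an owner name, or None, using the two strict patterns."""
    m = STRICT_YOU.search(line)
    if m:
        return m.group(2)
    m = STRICT_OTHERS.search(line)
    return m.group(1) if m else None


def loose_accepts(line):
    """True when the loose pattern would treat the line as a command source."""
    return LOOSE.search(line) is not None


SAMPLES = [  # all constructed
    raw_line("Eskarina"),        # legitimate owner character
    raw_line("Evil Eskarina"),   # name merely contains the owner's name
    raw_line("You"),             # another player's character named "You"
    'You say, "follow me"',      # a message you sent yourself
    '[Fellowship] You say, "follow me"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"loose={loose_accepts(line)!s:5} strict={trusted_sender(line)!s:8} {line}")
```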